T1498.002

Reflection Amplification

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target using third-party server intermediaries (reflectors). The attacker sends UDP packets to publicly accessible servers with the victim's spoofed source IP address, causing those servers to direct large responses at the victim. This technique exploits protocols whose responses are significantly larger than requests — known as amplification. Prominent amplification vectors include DNS (ANY queries, amplification factor ~28–54x), NTP (monlist command, up to 700x), memcached UDP (up to 51,200x), SSDP (up to 30x), CLDAP/LDAP (up to 70x), and CharGen (up to 358x). Because UDP allows source IP spoofing without a three-way handshake, attackers can direct enormous response volumes at a victim with minimal bandwidth cost. Multiple compromised systems (botnets) are commonly used to multiply the effect. Impacts include network link saturation, upstream provider congestion, and complete unavailability of internet-facing services.

Microsoft Sentinel / Defender

kusto

let AmplificationPorts = dynamic([53, 123, 11211, 1900, 389, 5353, 161, 19, 5683, 1434, 17, 520, 1194]);
let SamplingWindow = 5m;
let InboundFloodThreshold = 500;
let UniqueSourceThreshold = 25;
// Part 1: Victim-side detection — inbound flood from reflectors (CommonSecurityLog / firewall)
// Reflectors respond FROM amplification service ports TO the spoofed victim IP
let InboundFlood =
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where Protocol =~ "UDP"
    | where SourcePort in (AmplificationPorts)
    | summarize
        ConnectionCount = count(),
        UniqueSourceIPs = dcount(SourceIP),
        TotalBytesReceived = sum(ReceivedBytes),
        AmplificationPortsSeen = make_set(SourcePort, 10),
        SampleSourceIPs = make_set(SourceIP, 5)
      by DestinationIP, bin(TimeGenerated, SamplingWindow)
    | where ConnectionCount > InboundFloodThreshold or UniqueSourceIPs > UniqueSourceThreshold
    | extend
        DetectionType = "Inbound Reflection Flood (Victim)",
        AttackType = case(
            AmplificationPortsSeen has "53",    "DNS Amplification",
            AmplificationPortsSeen has "123",   "NTP Amplification",
            AmplificationPortsSeen has "11211", "Memcached Amplification",
            AmplificationPortsSeen has "1900",  "SSDP Amplification",
            AmplificationPortsSeen has "389",   "CLDAP Amplification",
            AmplificationPortsSeen has "1434",  "MSSQL/SSDP Amplification",
            AmplificationPortsSeen has "161",   "SNMP Amplification",
            AmplificationPortsSeen has "5683",  "CoAP Amplification",
            AmplificationPortsSeen has "17",    "CharGen Amplification",
            "Generic Reflection Amplification"
        ),
        GbReceived = round(toreal(TotalBytesReceived) / 1073741824.0, 3)
    | project TimeGenerated, AffectedIP = DestinationIP, AttackType, DetectionType, ConnectionCount, UniqueSourceIPs, GbReceived, AmplificationPortsSeen, SampleSourceIPs;
// Part 2: Attacker/Bot-side detection — endpoint making high-volume outbound UDP to many amplification-port IPs
// This catches compromised hosts participating in a DDoS botnet
let OutboundAttack =
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where Protocol =~ "Udp"
    | where RemotePort in (AmplificationPorts)
    | where RemoteIPType == "Public"
    | summarize
        ConnectionCount = count(),
        UniqueDestinations = dcount(RemoteIP),
        PortsTargeted = make_set(RemotePort, 10),
        SampleDestIPs = make_set(RemoteIP, 5)
      by DeviceName, LocalIP, InitiatingProcessFileName, bin(Timestamp, SamplingWindow)
    | where UniqueDestinations > 50 or ConnectionCount > 1000
    | extend
        DetectionType = "Outbound to Amplifiers (Bot/Attacker)",
        AttackType = case(
            PortsTargeted has "53",    "DNS Amplification Sender",
            PortsTargeted has "123",   "NTP Amplification Sender",
            PortsTargeted has "11211", "Memcached Amplification Sender",
            PortsTargeted has "1900",  "SSDP Amplification Sender",
            PortsTargeted has "389",   "CLDAP Amplification Sender",
            "Generic Amplification Sender"
        ),
        GbReceived = 0.0
    | project
        TimeGenerated = Timestamp,
        AffectedIP = LocalIP,
        AttackType,
        DetectionType,
        ConnectionCount,
        UniqueSourceIPs = UniqueDestinations,
        GbReceived,
        AmplificationPortsSeen = PortsTargeted,
        SampleSourceIPs = SampleDestIPs;
InboundFlood
| union OutboundAttack
| sort by ConnectionCount desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Traffic Content Microsoft Defender for Endpoint Azure NSG Flow Logs / CommonSecurityLog

Required Tables

CommonSecurityLog DeviceNetworkEvents

False Positives

Legitimate high-traffic DNS or NTP servers receiving large volumes of resolution requests from many clients — an authoritative DNS server may see hundreds of unique source IPs per minute normally
CDN or load balancer nodes that legitimately receive high UDP traffic volumes from distributed clients
Network scanning tools (nmap, masscan) running authorized reconnaissance that contact many amplification-port hosts in bulk
Misconfigured or chatty IoT devices sending repeated SSDP or mDNS discovery packets that aggregate to threshold levels
Cloud environments during peak load where auto-scaling triggers many simultaneous DNS lookups from newly spawned instances

Splunk

spl

index=network (sourcetype=firewall OR sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="stream:udp" OR sourcetype=netflow OR sourcetype="bro:conn" OR sourcetype="suricata" OR sourcetype="zeek:conn")
  transport=udp
  (src_port=53 OR src_port=123 OR src_port=11211 OR src_port=1900 OR src_port=389 OR src_port=5353 OR src_port=161 OR src_port=17 OR src_port=19 OR src_port=5683 OR src_port=1434 OR src_port=520)
| eval AttackType=case(
    src_port==53,    "DNS Amplification",
    src_port==123,   "NTP Amplification",
    src_port==11211, "Memcached Amplification",
    src_port==1900,  "SSDP Amplification",
    src_port==389,   "CLDAP Amplification",
    src_port==161,   "SNMP Amplification",
    src_port==17,    "QOTD Amplification",
    src_port==19,    "CharGen Amplification",
    src_port==5683,  "CoAP Amplification",
    src_port==1434,  "MSSQL Amplification",
    src_port==520,   "RIP Amplification",
    1==1,            "Generic Reflection Amplification"
)
| bin _time span=5m
| stats
    count as ConnectionCount,
    dc(src_ip) as UniqueSourceIPs,
    sum(bytes_in) as TotalBytesReceived,
    values(src_port) as AmplificationPortsSeen,
    values(AttackType) as AttackTypes,
    list(src_ip) as SourceIPList
  by _time, dest_ip
| where ConnectionCount > 500 OR UniqueSourceIPs > 25
| eval GbReceived=round(TotalBytesReceived/1073741824, 3)
| eval PrimaryAttackType=mvindex(AttackTypes, 0)
| eval SampleSourceIPs=mvjoin(mvrange(0, if(mvcount(SourceIPList) < 5, mvcount(SourceIPList), 5), 1) | foreach X [eval result=mvindex(SourceIPList, X)], ", ")
| eval RiskScore=case(
    ConnectionCount > 10000 OR UniqueSourceIPs > 500, "Critical",
    ConnectionCount > 2000 OR UniqueSourceIPs > 100,  "High",
    ConnectionCount > 500  OR UniqueSourceIPs > 25,   "Medium",
    1==1, "Low"
)
| table _time, dest_ip, PrimaryAttackType, RiskScore, ConnectionCount, UniqueSourceIPs, GbReceived, AmplificationPortsSeen
| rename _time as TimeWindow, dest_ip as VictimIP
| sort - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Flow Network Traffic: Network Traffic Content Zeek/Bro Connection Logs Firewall Flow Logs (PAN-OS, Cisco ASA)

Required Sourcetypes

pan:traffic cisco:asa stream:udp netflow bro:conn zeek:conn suricata

False Positives

Authoritative DNS servers or NTP stratum servers that legitimately receive high-volume responses from recursive resolvers during normal operations
Load-balanced application tiers receiving legitimate UDP traffic from many geographically distributed clients
Network operations authorized scanning of UDP amplification vectors for vulnerability assessment purposes
High-density cloud workloads where many VMs simultaneously perform DNS lookups at startup (e.g., Kubernetes pod scaling events)
SSDP traffic in office networks with many UPnP-enabled IoT devices

Elastic Security (EQL)

eql

FROM logs-network*, logs-endpoint.events.network*
| WHERE @timestamp > NOW() - 1 hour
| WHERE network.transport == "udp"
| WHERE source.port IN (53, 123, 11211, 1900, 389, 5353, 161, 17, 19, 5683, 1434, 520)
| EVAL attack_type = CASE(
    source.port == 53,    "DNS Amplification",
    source.port == 123,   "NTP Amplification",
    source.port == 11211, "Memcached Amplification",
    source.port == 1900,  "SSDP Amplification",
    source.port == 389,   "CLDAP Amplification",
    source.port == 5353,  "mDNS Amplification",
    source.port == 161,   "SNMP Amplification",
    source.port == 17,    "QOTD Amplification",
    source.port == 19,    "CharGen Amplification",
    source.port == 5683,  "CoAP Amplification",
    source.port == 1434,  "MSSQL Amplification",
    source.port == 520,   "RIP Amplification",
    "Generic Reflection Amplification"
  )
| STATS
    connection_count    = COUNT(*),
    unique_source_ips   = COUNT_DISTINCT(source.ip),
    total_bytes_in      = SUM(destination.bytes),
    attack_types        = VALUES(attack_type),
    sample_source_ips   = VALUES(source.ip)
  BY destination.ip, BUCKET(@timestamp, 5 minutes)
| WHERE connection_count > 500 OR unique_source_ips > 25
| EVAL gb_received = ROUND(total_bytes_in / 1073741824.0, 3)
| EVAL risk_score = CASE(
    connection_count > 10000 OR unique_source_ips > 500, "Critical",
    connection_count > 2000  OR unique_source_ips > 100, "High",
    connection_count > 500   OR unique_source_ips > 25,  "Medium",
    "Low"
  )
| KEEP `destination.ip`, `BUCKET(@timestamp, 5 minutes)`, attack_types, risk_score, connection_count, unique_source_ips, gb_received
| SORT connection_count DESC

critical severity high confidence

Data Sources

Network flow logs (Elastic Agent Network integration, Elastic Fleet) Firewall and UTM logs (Elastic integrations: Palo Alto PAN-OS, Fortinet, pfSense, Cisco ASA) Endpoint network events (Elastic Endpoint Security / Elastic Defend) NetFlow/IPFIX (Elastic Network Packet Capture or Logstash netflow codec) Network IDS/IPS (Suricata, Zeek via Filebeat module)

Required Tables

logs-network* logs-endpoint.events.network* logs-*.firewall* logs-suricata.* logs-zeek.*

False Positives

Public-facing DNS authoritative servers or high-throughput recursive resolvers — organizations hosting DNS infrastructure will see high volumes of UDP/53 responses directed at their server IPs that match the inbound flood pattern and will regularly exceed the connection count threshold
NTP stratum servers or synchronization bursts — time servers serving large fleets of clients, or mass clock-sync events following network outages or large-scale VM provisioning, can generate NTP response spikes (UDP/123) that exceed thresholds without indicating an attack
Authorized DDoS simulation exercises or red team operations — penetration testing engagements that include volumetric attack testing should be baselined and suppressed using Kibana exception containers scoped to known test windows and IP ranges
Anycast CDN or DNS provider PoPs — environments with routing that aggregates traffic from multiple CDN or DNS provider points of presence behind a single observed destination IP may exceed the unique source IP threshold for legitimate traffic
Large-scale SNMP polling infrastructure — environments with dense SNMP monitoring (UDP/161) from multiple managed network devices responding to a central collector will generate high connection counts matching this rule

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(STARTTIME, 'yyyy-MM-dd HH:mm') AS TimeWindow,
    destinationip AS VictimIP,
    COUNT(*) AS ConnectionCount,
    COUNT(DISTINCT sourceip) AS UniqueSourceIPs,
    SUM(sourcebytes) AS TotalBytesReceived,
    ROUND(SUM(sourcebytes) / 1073741824.0, 3) AS GbReceived,
    CASE
        WHEN sourceport = 53    THEN 'DNS Amplification'
        WHEN sourceport = 123   THEN 'NTP Amplification'
        WHEN sourceport = 11211 THEN 'Memcached Amplification'
        WHEN sourceport = 1900  THEN 'SSDP Amplification'
        WHEN sourceport = 389   THEN 'CLDAP Amplification'
        WHEN sourceport = 5353  THEN 'mDNS Amplification'
        WHEN sourceport = 161   THEN 'SNMP Amplification'
        WHEN sourceport = 17    THEN 'QOTD Amplification'
        WHEN sourceport = 19    THEN 'CharGen Amplification'
        WHEN sourceport = 5683  THEN 'CoAP Amplification'
        WHEN sourceport = 1434  THEN 'MSSQL Amplification'
        WHEN sourceport = 520   THEN 'RIP Amplification'
        ELSE 'Generic Reflection Amplification'
    END AS PrimaryAttackType,
    sourceport AS AmplificationPort
FROM flows
WHERE LAST 60 MINUTES
    AND transportprotocol = 17
    AND sourceport IN (53, 123, 11211, 1900, 389, 5353, 161, 17, 19, 5683, 1434, 520)
GROUP BY
    DATEFORMAT(STARTTIME, 'yyyy-MM-dd HH:mm'),
    destinationip,
    sourceport,
    CASE
        WHEN sourceport = 53    THEN 'DNS Amplification'
        WHEN sourceport = 123   THEN 'NTP Amplification'
        WHEN sourceport = 11211 THEN 'Memcached Amplification'
        WHEN sourceport = 1900  THEN 'SSDP Amplification'
        WHEN sourceport = 389   THEN 'CLDAP Amplification'
        WHEN sourceport = 5353  THEN 'mDNS Amplification'
        WHEN sourceport = 161   THEN 'SNMP Amplification'
        WHEN sourceport = 17    THEN 'QOTD Amplification'
        WHEN sourceport = 19    THEN 'CharGen Amplification'
        WHEN sourceport = 5683  THEN 'CoAP Amplification'
        WHEN sourceport = 1434  THEN 'MSSQL Amplification'
        WHEN sourceport = 520   THEN 'RIP Amplification'
        ELSE 'Generic Reflection Amplification'
    END
HAVING COUNT(*) > 500 OR COUNT(DISTINCT sourceip) > 25
ORDER BY ConnectionCount DESC

critical severity high confidence

Data Sources

QRadar QFlow network flow collector (NetFlow v5/v9, IPFIX, sFlow) Firewall flow logs via QRadar DSM (Cisco ASA, Juniper SRX, Palo Alto PAN-OS, Fortinet FortiGate) IDS/IPS appliances via QRadar DSM (Snort, Suricata, Check Point) Router and switch NetFlow exports

Required Tables

flows

False Positives

Organizations hosting authoritative DNS servers or high-capacity recursive resolvers — legitimate DNS infrastructure regularly receives high volumes of UDP/53 responses from many distinct client IPs, which matches the victim-side flood pattern and may exceed both thresholds
NTP infrastructure or pool participants — NTP servers (pool.ntp.org members or enterprise stratum-2 servers) responding to many client sync requests generate high UDP/123 flow volumes that match the inbound flood signature
Authorized DDoS resilience testing or penetration testing engagements — volumetric testing exercises should be suppressed via QRadar Building Blocks referencing a managed IP group for known test sources and windows
SNMP management infrastructure at scale — network management systems polling hundreds of devices will receive high volumes of UDP/161 SNMP responses to a central collector IP, potentially exceeding the connection count threshold
mDNS/Bonjour-heavy environments — large office or campus networks with many Apple or IoT devices generating multicast DNS traffic (UDP/5353) may produce elevated connection counts from many unique source IPs to local subnets

Sumo Logic CSE

sql

_sourceCategory=network (firewall OR netflow OR zeek OR suricata OR "pan:traffic" OR "cisco:asa" OR "bro:conn" OR "stream:udp")
| where transport="udp" OR transport="UDP" OR proto="udp" OR proto="UDP" OR ip_proto="17"
| where src_port IN ("53","123","11211","1900","389","5353","161","17","19","5683","1434","520")
| eval attack_type=if(src_port="53","DNS Amplification",
    if(src_port="123","NTP Amplification",
    if(src_port="11211","Memcached Amplification",
    if(src_port="1900","SSDP Amplification",
    if(src_port="389","CLDAP Amplification",
    if(src_port="5353","mDNS Amplification",
    if(src_port="161","SNMP Amplification",
    if(src_port="17","QOTD Amplification",
    if(src_port="19","CharGen Amplification",
    if(src_port="5683","CoAP Amplification",
    if(src_port="1434","MSSQL Amplification",
    if(src_port="520","RIP Amplification",
    "Generic Reflection Amplification"))))))))))))
| timeslice 5m
| stats
    count as ConnectionCount,
    dcount(src_ip) as UniqueSourceIPs,
    sum(bytes_in) as TotalBytesReceived,
    values(src_port) as AmplificationPortsSeen,
    values(attack_type) as AttackTypes
  by _timeslice, dest_ip
| where ConnectionCount > 500 OR UniqueSourceIPs > 25
| eval GbReceived=round(TotalBytesReceived/1073741824,3)
| eval RiskScore=if(ConnectionCount>10000 OR UniqueSourceIPs>500,"Critical",
    if(ConnectionCount>2000 OR UniqueSourceIPs>100,"High",
    if(ConnectionCount>500 OR UniqueSourceIPs>25,"Medium","Low")))
| fields _timeslice, dest_ip, AttackTypes, RiskScore, ConnectionCount, UniqueSourceIPs, GbReceived, AmplificationPortsSeen
| sort by ConnectionCount desc
| rename _timeslice as TimeWindow, dest_ip as VictimIP

critical severity high confidence

Data Sources

Firewall/UTM logs (Palo Alto PAN-OS, Cisco ASA, Fortinet FortiGate, pfSense) NetFlow/IPFIX collectors (nfdump, ntopng, PRTG) Network IDS/IPS (Suricata, Snort, Zeek/Bro via Sumo Logic app) Cloud VPC flow logs (AWS VPC Flow Logs, GCP VPC Flow Logs, Azure NSG Flow Logs) Stream:UDP protocol metadata (Sumo Logic Cloud Syslog)

Required Tables

_sourceCategory=network

False Positives

Public DNS authoritative or recursive resolver infrastructure — organizations operating DNS servers exposed to the internet will receive high volumes of UDP/53 responses matching the flood pattern; exclude known DNS server IPs from dest_ip using a lookup table
NTP pool participants or enterprise time servers — NTP servers responding to large numbers of client sync requests, particularly during mass VM provisioning or daylight saving transitions, will generate high UDP/123 traffic volumes
Authorized red team or DDoS simulation testing — suppression should be applied via Sumo Logic Scheduled Views or alert suppression windows for known test IPs and time ranges
Cloud-native environments with NAT gateways or shared egress — cloud NAT gateways that aggregate UDP responses from many internal hosts to external services may inflate dest_ip connection counts for a single gateway IP
Large-scale SNMP environments — network monitoring platforms receiving SNMP trap responses (UDP/161) from hundreds of network devices to a central management server IP will regularly exceed the connection count threshold

Google Chronicle / SecOps

yaral

rule t1498_002_reflection_amplification_inbound {
  meta:
    author           = "df00tech Detection Engineering"
    description      = "Detects UDP reflection amplification DDoS attacks — high-volume inbound UDP flood from known amplification service ports targeting a single victim IP within a 5-minute window"
    mitre_attack_tactic   = "Impact"
    mitre_attack_technique = "T1498.002"
    mitre_attack_technique_name = "Network Denial of Service: Reflection Amplification"
    severity         = "HIGH"
    confidence       = "HIGH"
    rule_version     = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.ip_protocol = "UDP"
    $e.principal.port in (
      53, 123, 11211, 1900, 389, 5353, 161, 17, 19, 5683, 1434, 520
    )
    // Reflectors are public internet IPs — exclude RFC1918 sources
    not net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.principal.ip, "127.0.0.0/8")
    $victim_ip = $e.target.ip

  match:
    $victim_ip over 5m

  outcome:
    $connection_count     = count($e.metadata.id)
    $unique_source_ips    = count_distinct($e.principal.ip)
    $total_bytes_received = sum($e.network.received_bytes)
    $gb_received          = math.round(sum($e.network.received_bytes) / 1073741824.0, 3)
    $amplification_ports  = array_distinct($e.principal.port)

  condition:
    #e > 500
}

critical severity high confidence

Data Sources

Chronicle UDM NETWORK_CONNECTION events from any network log source Firewall/NGFW log feeds ingested into Chronicle (Palo Alto, Fortinet, Check Point) Network Detection and Response (NDR) platforms forwarding to Chronicle (Darktrace, ExtraHop, Vectra) Zeek/Suricata network sensor logs via Chronicle forwarder agent Cloud VPC flow logs normalized to UDM (Google Cloud, AWS, Azure via Chronicle ingestion)

Required Tables

UDM NETWORK_CONNECTION event type

False Positives

Organizations operating public-facing DNS infrastructure — authoritative nameservers or high-throughput resolvers with public IPs will receive many UDP/53 responses from external clients that match the flood pattern; allowlist known DNS server target IPs in the rule or add a reference list exclusion
NTP stratum servers responding to large client populations — time servers experiencing synchronization bursts from many clients simultaneously can generate high volumes of UDP/123 connections from diverse source IPs that trigger the 500-connection threshold
Authorized security testing and DDoS simulation exercises — Chronicle detection exclusions or reference list-based suppression should be applied for known red team source and target IP ranges during scheduled test windows
Multi-tenant cloud platforms with shared egress or anycast addressing — traffic from CDN PoPs or cloud NAT gateways may appear as high-volume UDP flows from many sources to a single aggregation point, inflating connection counts beyond the threshold
VOIP and real-time media platforms — SIP/RTP infrastructure receiving high volumes of UDP media streams may incidentally expose source ports matching amplification port ranges, particularly UDP/5353 in mDNS-aware environments

CrowdStrike LogScale (CQL)

cql

// Bot/attacker-side detection: endpoint sending high-volume UDP to amplification-port reflectors
// CrowdStrike Falcon endpoint telemetry is best suited for identifying compromised hosts
// participating in DDoS botnets; victim-side flood detection requires network sensor data

#event_simpleName = NetworkConnectIP4
| RemotePort in (53, 123, 11211, 1900, 389, 5353, 161, 17, 19, 5683, 1434, 520)
| Protocol = "UDP"
| groupBy(
    [ComputerName, LocalAddressIP4, FileName, UserName],
    function=[
        count(as=ConnectionCount),
        count(field=RemoteAddressIP4, distinct=true, as=UniqueDestinations),
        collect(field=RemotePort, limit=15, as=PortsTargeted)
    ]
  )
| where ConnectionCount > 1000 OR UniqueDestinations > 50
| AttackType := case {
    PortsTargeted = /\b53\b/    => "DNS Amplification Sender";
    PortsTargeted = /\b123\b/   => "NTP Amplification Sender";
    PortsTargeted = /11211/     => "Memcached Amplification Sender";
    PortsTargeted = /1900/      => "SSDP Amplification Sender";
    PortsTargeted = /\b389\b/   => "CLDAP Amplification Sender";
    PortsTargeted = /\b161\b/   => "SNMP Amplification Sender";
    PortsTargeted = /\b19\b/    => "CharGen Amplification Sender";
    PortsTargeted = /\b17\b/    => "QOTD Amplification Sender";
    PortsTargeted = /5683/      => "CoAP Amplification Sender";
    *                           => "Generic Amplification Sender";
  }
| sort(ConnectionCount, order=desc)
| table(
    [ComputerName, LocalAddressIP4, UserName, FileName, AttackType,
     ConnectionCount, UniqueDestinations, PortsTargeted]
  )

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor endpoint telemetry (NetworkConnectIP4 events) CrowdStrike Falcon for Network (network sensor, where licensed and deployed) CrowdStrike Falcon Insight XDR correlated network events

Required Tables

NetworkConnectIP4

False Positives

Network vulnerability scanners or asset discovery tools running on endpoints — tools such as Nmap, Masscan, or Rapid7 Nexpose conducting UDP port scans generate high volumes of connections to many unique destination IPs on DNS, SNMP, and other amplification ports that match the bot-side pattern
Authorized penetration testing tooling — red team frameworks or purpose-built DDoS testing tools (hping3, scapy scripts, t50) executing flood tests from designated attacker workstations will match both the UniqueDestinations and ConnectionCount thresholds
DNS stress testing and benchmarking tools — tools like dnsperf, dnsperftest, or flamethrower used for DNS infrastructure capacity planning send high-volume UDP/53 queries to many resolvers and will trigger the unique destinations threshold
Backup and replication software using UDP transport — some backup agents or distributed storage systems (Ceph, GlusterFS) use UDP for fast data replication across many storage node IPs, which may generate qualifying connection counts on storage-adjacent ports
Malware analysis sandboxes and detonation environments — endpoints intentionally executing malware samples that include DDoS bot payloads will generate exactly this traffic pattern by design; exclude known sandbox host IPs from the query results

Last updated: 2026-04-19 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1498.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Reflection Amplification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections